registry  /  @claudiolabs/claudin  /  0.7.4

@claudiolabs/claudin@0.7.4

⚠ Under review

Claudin — Claude Code opened to any LLM (OpenAI, Gemini, DeepSeek, Ollama, and 200+ models)

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 24 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 455 file(s), 8.16 MB of source, external domains: 1.1.1.1, 127.0.0.1, 169.254.169.254, 169.254.170.2, a.co, anthropic.com, api.anthropic.com, api.cloudflare.com, api.deepseek.com, api.githubcopilot.com, api.groq.com, api.kimi.com, api.minimax.io, api.mistral.ai, api.moonshot.ai, api.openai.com, api.together.xyz, api.x.ai, api.z.ai, app.corridor.dev, auth.openai.com, beacon.claude-ai.staging.ant.dev, bedrock-runtime.us-east-1.amazonaws.com, chatgpt.com, clau.de, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, code.claude.com, coding-intl.dashscope.aliyuncs.com, coding.dashscope.aliyuncs.com, docs.anthropic.com, docs.aws.amazon.com, docs.claude.com, docs.expo.dev, duckduckgo.com, example.com, external-content.duckduckgo.com, fonts.googleapis.com, gateway.ai.cloudflare.com, generativelanguage.googleapis.com, git-scm.com, github.com, hooks.example.com, integrate.api.nvidia.com, json-schema.org, json.schemastore.org, links.duckduckgo.com, llm.bankr.bot
Oversized source lightweight scan
dist/chunks/cli-0.7.4-1tkzz9x6.mjs3.47 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringsexample.comraw.githubusercontent.com

Source & flagged code

13 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-warmup.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/chunks/openaiShim-0.7.4-mwtq6jnq.mjsView file
11patternName = generic_password severity = medium line = 11 matchedText = [Content...in(`
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/chunks/openaiShim-0.7.4-mwtq6jnq.mjsView on unpkg · L11
dist/chunks/cli-0.7.4-2apswqf5.mjsView file
1import{B0 as AO,G0 as PF}from"./cli-0.7.4-jgswqtvj.mjs";import{$0 as i3,H0 as u9,I0 as E9,J0 as g9,K0 as G6,L0 as L1,M0 as uG,N0 as CZ,O0 as AB,P0 as PQ,Q0 as MB,R0 as Q6,S0 as q0,... L2: `)G.name="enter";else if(Z==="\t")G.name="tab";else if(Z==="\b"||Z==="\x1B\b")G.name="backspace",G.meta=Z.charAt(0)==="\x1B";else if(Z===""||Z==="\x1B")G.name="backspace",G.meta=...
High
Child Process

Package source references child process execution.

dist/chunks/cli-0.7.4-2apswqf5.mjsView on unpkg · L1
dist/chunks/hookChains-0.7.4-3eqqv9t2.mjsView file
1import{Px as kj,oE as jj,qA as M,rA as Cj,uE as Kj,zx as t}from"./cli-0.7.4-1tkzz9x6.mjs";import"./cli-0.7.4-ge77h9d7.mjs";import"./cli-0.7.4-e2bhfh6d.mjs";import"./cli-0.7.4-6cft4... L2: `)}function ej(j,q,G){let A=_(G.payload),F=U(A),J={EVENT_NAME:G.eventName,OUTCOME:G.outcome,RULE_ID:q.id,PAYLOAD_JSON:F,ERROR:Y(A,["error","reason"])??"",TASK_SUBJECT:Y(A,["task_su... L3: `);return{summary:O,body:P}}async function tj(j){let{action:q,rule:G,event:A,runtime:F}=j;if(F.signal?.aborted)return{status:"skipped",reason:"aborted"};if(!F.onSpawnFallbackAgent)...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunks/hookChains-0.7.4-3eqqv9t2.mjsView on unpkg · L1
dist/chunks/index-0.7.4-9z6mgm05.mjsView file
1import{Hqa as u,Kqa as k}from"./cli-0.7.4-p85h0qry.mjs";import{Pqa as f,Qqa as y}from"./cli-0.7.4-58p1wenr.mjs";function j(z){return new Promise((G,U)=>{let K=g.request({method:"GE... L2: For more information, please visit: `+Xz);let Q=z.originalExpiration??z.expiration;return{...z,...Q?{originalExpiration:Q}:{},expiration:K}},Zz=(z,G={})=>{let U=G?.logger||console,...
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunks/index-0.7.4-9z6mgm05.mjsView on unpkg · L1
dist/chunks/index-0.7.4-sajaaw7k.mjsView file
20contains invisible/control Unicode U+200B (zero width space) \v\f\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F !"#$٪&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_\`abcdefghijklmnopqrstuvwxyz{|}~°·∙√▒─│┼┤┬├┴┐┌└┘β∞φ±½¼≈«»ﻷﻸ��ﻻﻼ� ­ﺂ£¤ﺄ��ﺎﺏﺕﺙ،ﺝﺡﺥ٠١٢٣٤٥٦٧٨٩ﻑ؛ﺱﺵﺹ؟
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/chunks/index-0.7.4-sajaaw7k.mjsView on unpkg · L20
dist/chunks/bridgeMain-0.7.4-m4rjydb5.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @claudiolabs/claudin@0.7.1 matchedIdentity = npm:QGNsYXVkaW9sYWJzL2NsYXVkaW4:0.7.1 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunks/bridgeMain-0.7.4-m4rjydb5.mjsView on unpkg
1Cross-file remote execution chain: dist/chunks/bridgeMain-0.7.4-m4rjydb5.mjs spawns dist/chunks/cli-0.7.4-2apswqf5.mjs; helper contains network access plus dynamic code execution. L1: import{pb as yJ,qb as xz,rb as rz,sb as cz,tb as iz,ub as bJ}from"./cli-0.7.4-h24m11yy.mjs";import{wb as Tz}from"./cli-0.7.4-h5274d0h.mjs";import{Eb as TJ,Fb as xJ,Gb as MJ,Hb as w... L2: `).filter((K)=>K.length>0)}function GJ(z){let J=z.write??(($)=>process.stdout.write($)),K=z.verbose,Y=0,O="idle",Z="Ready",R="",B="",U="",F="",L="",A=null,N=[],M=!1,E=null,P=0,x=0,... L3: `)){if(Gz.length===0){w++;continue}let Nz=sz(Gz);w+=Math.max(1,Math.ceil(Nz/j))}if($.endsWith(` ... L31: `),$)m(`${G.red($)} L32: `)},updateSessionStatus($,j,w,Gz){if(w.type==="tool_start")E=w.summary,P=Date.now();p()},clearStatus(){t(),a()},toggleQr(){M=!M,p()},updateSessionCount($,j,w){if(x===$&&_===j&&k===... L33: `);if(N.length>=eJ)N.shift();N.push(f)});if(F.stdout)HJ({input:F.stdout}).on("line",(f)=>{if(Z)Z.write(f+` L34: `);if(z.onDebug(`[bridge:ws] sessionId=${J.sessionId} <<< ${mz(f)}`),z.verbose)process.stderr.write(f+` L35: `);let k=$K(f,J.sessionId,z.onDebug);for(let b of k){if(L.length>=sJ)L.shift();L.push(b),A=b,z.onAc…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunks/bridgeMain-0.7.4-m4rjydb5.mjsView on unpkg · L1
dist/claudin-vscode.vsixView file
path = dist/claudin-vscode.vsix kind = high_entropy_blob sizeBytes = 91168 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/claudin-vscode.vsixView on unpkg
path = dist/claudin-vscode.vsix kind = compressed_blob sizeBytes = 91168 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/claudin-vscode.vsixView on unpkg
path = dist/claudin-vscode.vsix kind = nested_archive_needs_inspection sizeBytes = 91168 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/claudin-vscode.vsixView on unpkg
dist/chunks/cli-0.7.4-1tkzz9x6.mjsView file
path = dist/chunks/cli-0.7.4-1tkzz9x6.mjs kind = oversized_source_file sizeBytes = 3642875 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/cli-0.7.4-1tkzz9x6.mjsView on unpkg
dist/chunks/cli-0.7.4-wv6x6pzr.mjsView file
1patternName = generic_password severity = medium line = 1 matchedText = import{E...tml>
Medium
Secret Pattern

Hardcoded password in dist/chunks/cli-0.7.4-wv6x6pzr.mjs

dist/chunks/cli-0.7.4-wv6x6pzr.mjsView on unpkg · L1

Findings

2 Critical8 High7 Medium7 Low
CriticalTrojan Source Unicodedist/chunks/index-0.7.4-sajaaw7k.mjs
CriticalPrevious Version Dangerous Deltadist/chunks/bridgeMain-0.7.4-m4rjydb5.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunks/cli-0.7.4-2apswqf5.mjs
HighShell
HighCloud Metadata Accessdist/chunks/index-0.7.4-9z6mgm05.mjs
HighCross File Remote Execution Contextdist/chunks/bridgeMain-0.7.4-m4rjydb5.mjs
HighObfuscated
HighShips High Entropy Blobdist/claudin-vscode.vsix
HighOversized Source Filedist/chunks/cli-0.7.4-1tkzz9x6.mjs
MediumSecret Patterndist/chunks/openaiShim-0.7.4-mwtq6jnq.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Compressed Blobdist/claudin-vscode.vsix
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/chunks/cli-0.7.4-wv6x6pzr.mjs
LowScripts Present
LowWeak Cryptodist/chunks/hookChains-0.7.4-3eqqv9t2.mjs
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectiondist/claudin-vscode.vsix